For a given list of keys in an ODS2 db,

        ods-enforcer key list -v
                Keys:
                Zone:        Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
                example.com  KSK      retire  waiting for ds-gone      384   14         d2f...  SoftHSM     91234
                example.com  KSK      retire  waiting for ds-gone      384   14         9f1...  SoftHSM     13454
                example.com  KSK      retire  waiting for ds-gone      384   14         50d...  SoftHSM     4215
                example.com  KSK      retire  waiting for ds-gone      384   14         f90...  SoftHSM     69524
                example.com  KSK      retire  waiting for ds-gone      384   14         4f8...  SoftHSM     64511
                example.com  ZSK      retire  2017-02-22 09:43:07      384   14         081...  SoftHSM     7944
                example.com  KSK      ready   waiting for ds-seen      384   14         850...  SoftHSM     47635
                example.com  ZSK      retire  2017-02-22 09:43:07      384   14         b5f...  SoftHSM     2524
                example.com  ZSK      ready   2017-02-22 09:43:07      384   14         853...  SoftHSM     33745

        ods-enforcer key list -d
                Keys:
                Zone:        Key role:  DS:          DNSKEY:      RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
                example.com  KSK        unretentive  omnipresent  omnipresent  NA           1    1    d2f...
                example.com  KSK        unretentive  hidden       hidden       NA           0    0    9f1...
                example.com  KSK        unretentive  hidden       hidden       NA           0    0    50d...
                example.com  KSK        unretentive  hidden       hidden       NA           0    0    f90...
                example.com  KSK        unretentive  hidden       hidden       NA           0    0    4f8...
                example.com  ZSK        NA           hidden       NA           hidden       0    0    081...
                example.com  KSK        rumoured     omnipresent  omnipresent  NA           1    1    850...
                example.com  ZSK        NA           omnipresent  NA           unretentive  1    0    b5f...
                example.com  ZSK        NA           omnipresent  NA           rumoured     1    1    853...

how do you find/export the public key for a specified CKA_ID?

Unlike `key import`

        key import
                --cka_id <CKA_ID>                       aka -k
                --repository <repository>               aka -r
                --zone <zone>                           aka -z
                --bits <size>                           aka -b
                --algorithm <algorithm>                 aka -g
                --keystate <state>                      aka -e
                --keytype <type>                        aka -t
                --inception_time <time>                 aka -w

which provides a --cka-id flag, `key export` does not appear to provide a 
method to correlate cka_id to public_key,

        key export
        --zone <zone> | --all                   aka -z | -a 
        --keystate <state>                      aka -e
        --keytype <type>                        aka -t 
        [--ds [--sha1]]                         aka -d [-s]

        ods-enforcer key export --all
                example.com.     300     IN      DNSKEY  257 3 14 YJ9...
                example.com.     300     IN      DNSKEY  257 3 14 jbP...
                example.com.     300     IN      DNSKEY  257 3 14 TQ0...
                example.com.     300     IN      DNSKEY  257 3 14 Veo...
                example.com.     300     IN      DNSKEY  257 3 14 M2u...
                example.com.     300     IN      DNSKEY  257 3 14 Lj1...

_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
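
One way to correlate the two outputs shown in the post (an added example, not part of the original message and not OpenDNSSEC code): recompute the RFC 4034 Appendix B key tag from each exported DNSKEY record and join it to the KeyTag column of `key list -v`. It assumes that column holds the standard key tag; the sample rows, CKA_IDs and keys below are constructed, and because key tags are not unique every match is returned as a list.

```python
import base64
import struct
from collections import defaultdict

# Constructed sample data (not from the post): 96-byte keys made of repeated bytes.
KEY_LIST_V = """\
example.com  KSK  retire  waiting for ds-gone  384  14  aaaa1111  SoftHSM  13375
example.com  KSK  ready   waiting for ds-seen  384  14  bbbb2222  SoftHSM  25711
example.com  ZSK  ready   2017-02-22 09:43:07  384  14  cccc3333  SoftHSM  25710
"""
KEY_EXPORT = "\n".join([
    "example.com. 300 IN DNSKEY 257 3 14 " + "AQEB" * 32,
    "example.com. 300 IN DNSKEY 257 3 14 " + "AgIC" * 32,
    "example.com. 300 IN DNSKEY 256 3 14 " + "AgIC" * 32,
])

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_key_list(text):
    """Map key tag -> [cka_id]. The date column contains spaces, so the
    CKA_ID and KeyTag fields are counted from the right-hand end of each row."""
    by_tag = defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[-1].isdigit():
            continue  # header ("Keys:", column titles) or blank line
        by_tag[int(f[-1])].append(f[-3])
    return by_tag

def correlate(key_list_text, export_text):
    """Return {cka_id: [DNSKEY record, ...]} by matching recomputed key tags."""
    by_tag = parse_key_list(key_list_text)
    result = defaultdict(list)
    for line in export_text.splitlines():
        f = line.split()
        if "DNSKEY" not in f:
            continue
        i = f.index("DNSKEY")
        flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
        pubkey = base64.b64decode("".join(f[i + 4:]))
        for cka_id in by_tag.get(key_tag(flags, proto, alg, pubkey), []):
            result[cka_id].append(line.strip())
    return dict(result)

if __name__ == "__main__":
    for cka_id, records in correlate(KEY_LIST_V, KEY_EXPORT).items():
        print(cka_id, "->", records)
```

A CKA_ID that maps to more than one record, or a record that maps to none, means the key tag alone cannot settle the match and the public key has to be compared against the HSM object directly.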
